SB5101 Diag issues
#1
Hi there everyone! (ABMJR and Southern especially) I have been reading a lot of this forum (and SBH, USBJTAG, etc. before I made my 1st post), trying to figure out a way to get my diag modem working.

I have an SB5101+Haxor1.1r39 (South American ISP, won't get into details thanks to the f*kr which made a business out of this and got us all f*kd) which was working fine in a different node at my old place, now I moved and the security is a whole different breed in this node.

With BPI+Bypass I get all lights on but I won't get any IP (IP 169.xx.xx.xx), meaning that the DHCP is not providing any IP (DHCP shutdown/IP lease killed).

I guess that the proper security in my node is BPI+ (autoserve is out of the question), as I get stuck with a blinking Online LED, waiting for some certs to be injected (from memory I think it is 301.8 auth reject) or the bypass commands thru telnet, which I'm still studying.

So to sum it up, after a lot of research (and lots more to come), I saved a dump of the CM Log and found out that the CMTS is requesting a CVC and BPKM keys (which I guess is all part of the same security process).

So, after doing some more reading and studying the putty log, I ended up coming to the conclusion that I had to flash a 2MB virgin dump so the CVC/MAC pair/signature was valid in order to complete the handshake; I found out that my BlackCat is either dead or with driver issues, whatever, did some more reading and ended up getting a USBJTAG NT (pros' choice apparently) to get the job done.

So here I am, with hax39 Lite, online and on the provisioning screen [which I cannot get thru 'cause the CMTS says my levels are out of limit, DS: 2.80 dBmV (seems ok), US: 7.00 dBmV (not OK), SNR: 39.40 dB (OK)], do you suggest to fix the US level and provision it? Where can this lead me? (I have a 5100 and I flashed a virgin 2MB dump too, then 5100mod, same results)

I also tried getting the config from bpi+bypass and then loading it, but it is not accepting autoserve in any way. Tried also loading the certs when a different MAC was changed, but I get the AUT-REJECT, guess it has to be done in a specific time as ABMJR suggests with TELNET.

What about a no-CVC firmware? I still have to compare the two logs, the one with the error and the provisioned one, but work is killing me and I have to invest my days off reading up-late @night (:

Hope my post is not too extensive, any help into getting me into the right direction will be greatly appreciated.

Thanks M8s!
Reply
#2

we used haxorw, uploaded cfg.bin from 2mb flash of virgin @ forocable.com
set bpi+bypassed, did not work, then bpi+docsis 1.1, got operational
see co-cvc valid on telnet.txt, but get "automated provisioning"
tried fastcert; insert them @baseline privacy, it worked
=
here some tips about fastcert:
http://www.haxorware.com/forums/archive/...-1979.html
Reply
#3
(30-10-2012, 11:44 PM)trina38nguyen Wrote: we used haxorw, uploaded cfg.bin from 2mb flash of virgin @ forocable.com
set bpi+bypassed, did not work, then bpi+docsis 1.1, got operational
see co-cvc valid on telnet.txt, but get "automated provisioning"
tried fastcert; insert them @baseline privacy, it worked
=
here some tips about fastcert:
http://www.haxorware.com/forums/archive/...-1979.html

Thanks for the tips!

Lemme work on some of that magic my friend!

Will let you know how it went.

Thnx again.
Reply
#4
Tried fastcert and no-go. I remember using it before under my sub and got nothing (guess it only works with factory mode modems).

Tried using different IPs and under the non-provisioned CM, with factory mode enabled, and same thing. Not a single return. I guess grabbing certs using this method is worthless in my area.

Reply
#5
(31-10-2012, 08:27 AM)mandrake77 Wrote: Tried fastcert and no-go. I remember using it before under my sub and got nothing (guess it only works with factory mode modems).

Tried using different IPs and under the non-provisioned CM, with factory mode enabled, and same thing. Not a single return. I guess grabbing certs using this method is worthless in my area.

Alright... tried something different. Let the cm get online with the virgin fw and hxr lite (equivalent to an unprovisioned cm out of the box). So I get to the activation screen.

Decided to "provision myself" some IPs+DNS (without causing any conflicts with the ones already registered by SUB users), so I'm "online" now but according to my config I'm only getting about 67.2Kbit speed. Google is fast as hell, get a pretty nice ping, but trying to ping my ISP is merely impossible.

Last night I got a 2KB config, with a string requesting a FW upgrade and 4 manufacturer CVCs, so I spoofed the requested FW version and now it's a 1KB config without the CVCs.

A telnet log might help?

Thanks to anyone watching willing to help
Reply
#6
Good!.. guess that "... virgin fw and hxr lite (equivalent to an unprovisioned cm out of the box)..." makes things different!!?
we read @ haxor home, it says:
"...The DIAG build is based on SB5102-2.7.6.0-DIAG
The LITE build is based on SB5101E-2.7.5.0-LTSH.."
now we know; this is nice tip, Mandrake77!
=
here, some info. of autoserv config:
http://www.haxorware.com/forums/archive/...661-3.html

Reply
#7
Code:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.11.11 19:54:56 =~=~=~=~=~=~=~=~=~=~=~=
Haxorware integrated telnet daemon

Username: root
Password: *****
Welcome.

CM>
CM> run
CM>  
CM> run_app


Running the system...


Beginning Cable Modem operation...

0x0000c62a [Scan Downstream Thread] BcmVendorCmDownstreamScanThread::ThreadMain:  (Scan Downstream Thread) Scanning for a Downstream Channel...

mot_scanList: Setting override freq @ 0
Favorite[0].freq = 699000000
Attempting Downstream FEC lock @ freq= 699000000 Hz, QAM64/256

CM> Found energy at frequency 699000000Hz!  Publishing event kEventEnergyDetected...
0x0000c88c [CmDocsisCtlThread] BcmCmDocsisCtlThread::StartUsInit:  (CmDocsisCtlThread) Locked on the downstream.  Waiting for UCDs...

******************************************
            DOWNSTREAM STATUS
******************************************
  Tuner Frequency = 699000000 Hz
   Carrier Offset = 3 Hz
      Symbol rate = 5360537 sym/sec
              SNR = 40 dB
         QAM Mode = QAM256
        Tuner AGC = 0xfff00000
           IF AGC = 0x1402abc6
      Power Level = 6 dB
              QAM = LOCKED
              FEC = LOCKED
******************************************


CM> Selecting UCD for Us Channel 10

0x0000d232 [CmDocsisCtlThread] BcmCmDocsisCtlThread::TestAndLaunchDsTimeSync:  (CmDocsisCtlThread) starting ds time sync acquisition...
0x0000d4d0 [CmDocsisCtlThread] BcmCmDocsisCtlThread::SyncDsSyncOk:  (CmDocsisCtlThread) downstream time sync acquired...
0x0000d4d0 [CmDocsisCtlThread] BcmCmDocsisCtlThread::DsSyncOkResumeUsInit:  (CmDocsisCtlThread) pre-REG upstream target case...starting initial ranging.
Beginning initial ranging...
Using stored initial upstream power = 45.0 dBmV
0x0000d4d0 [CmDocsisCtlThread] BcmCmDocsisCtlThread::SyncDsSyncOk:  (CmDocsisCtlThread) rx unexpected kDsSyncOk indication...
Not logging event ID 2307948724, control  for level 7 is 0.

CM>
RNG-RSP  Adj: tim=1461 power=-1 freq=0  Stat=Continue

CM>
RNG-RSP  Adj: tim=0 power=-1 freq=-290  Stat=Success

******************************************
            UPSTREAM STATUS
******************************************
       Upstream Status = UP
      Upstream Channel = 10
    Upstream Frequency = 25000000 Hz
        Upstream Power = 44 dBmV
           Ranging SID = 0x1438
  Upstream Symbol Rate = 2560000 sym/sec
******************************************

Calculating maximum number of IP filters:
  Each IP filter consumes 1864 bytes of RAM.
  Current free RAM is 424704 bytes.
  Max heap reserved for IP filters (25%) = 106176
  We can support 56 IP filters.
Calculating maximum number of LLC filters:
  Each LLC filter consumes 744 bytes of RAM.
  Current free RAM is 424684 bytes.
  Max heap reserved for LLC filters (25%) = 106171
  We can support 142 LLC filters.
Starting IP Initialization with DHCP...
DHCPc:  Waiting 4 seconds before sending Discover; client id htype=1, value=00:1a:XX:XX:XX:XX
Not logging event ID 2307948624, control  for level 7 is 0.

CM> 0x0000e164 [DHCP Server Thread] BcmDhcpServerThread::ThreadMain:  (DHCP Server Thread) Callback request expired:
timerDuration secs = 1
current time secs = 57
elapsed time secs = 1

CM> DHCPc:  Sending Discover packet; client id htype=1, value=00:1a:XX:XX:XX:XX
DHCPc:  Received an Offer from DHCP server 00:01:XX:XX:XX:XX (10.7.224.1); lease client id htype=1, value=00:1a:XX:XX:XX:XX

CM> DHCPc:  Timed out waiting for offers for lease with client id htype=1, value=00:1a:XX:XX:XX:XX
DHCPc:  Sending Request packet; client id htype=1, value=00:1a:XX:XX:XX:XX
DHCPc:  Received an Ack from DHCP server 00:01:XX:XX:XX:XX (10.7.224.1); lease client id htype=1, value=00:1a:XX:XX:XX:XX
Current IP address is default 0.0.0.0.
0x0000f50a [DHCP Client Thread] BcmEcosIpHalIf::ConfigureLeaseImpl:  (IP Stack1 HalIf)
Configuring IP stack 1:
  IP Address = 10.7.224.237 (primary IP address)
   Subnet Mask = 255.255.252.0
   Router = 10.7.224.1
   IsPrimaryInterface = 1

Logging event: DHCP WARNING - Non-critical field invalid in response.
ARPing for default GW IP = 10.7.224.1
MAC = 00:01:XX:XX:XX:XX
DHCP completed successfully!

DHCP Settings:
                     Client Id = htype=1, value=00:1a:XX:XX:XX:XX
                         State = Renewing (5)
                  Static Lease = 0
               AutoConfig Mode = IP, Subnet and Router
                           XID = 0x1054fdbd
               Number of Tries = 0
            Max Discover Tries = 6
             Max Request Tries = 6
          DHCP server MAC addr = 00:01:XX:XX:XX:XX
                   Ignore NAKs = 0
         My offered IP address = 10.7.224.237 (primary IP address)
               (1) Subnet Mask = 255.255.252.0
         (3) Router IP address = 10.7.224.1
   (54) DHCP Server IP address = 192.168.10.10
   (82) Relay Agent IP address = 10.7.224.1
        TFTP Server IP address = 10.7.224.1
         CM Configuration file = 'cm-001XXXXXXX'
           (2) UTC Time Offset = -18000 seconds
    (4) Time Server IP address = 192.168.10.24
        (6) Domain Name Server =
     (7) Log Server IP address = 200.75.200.7
               (51) Lease time = 2929 seconds
               (58) T1 (renew) = 1464 seconds
              (59) T2 (rebind) = 2562 seconds
             Lease is infinite = 0

   (122) PacketCable/CableHome -== SubOptions ==-
              SubOpt(1) Primary Dhcp Server = 255.255.255.255


SB5102 CM Agent w/ BRCM Factory Support IpStackEvent: Ip=10.7.224.237, Subnet=255.255.252.0, Gateway=10.7.224.1
  CmSnmpAgent::IpAddressAcquiredEvent for SB5102 CM Agent w/ BRCM Factory Support
    IP addr = 10.7.224.237
Starting Time Of Day...
0x0000f5aa [CmDocsisIpThread] BcmDocsisTimeOfDayThread::SetTodServerIpAddress:  (Time Of Day Thread) ToD servers:  192.168.10.24
Connecting to ToD server 192.168.10.24...
Sending UDP ToD request to server...
SNMP Agent Binding to 10.7.224.237:225
Not logging event ID 2291949724, control  for level 7 is 0.

CM> UTC returned by ToD server 3561670522; UTC offset -18000
Current system time -> Sun Nov 11 19:55:22 2012

System start time -> Sun Nov 11 19:54:19 2012

Starting Tftp of configuration file...
Opening file 'cm-001XXXXXXX' on 10.7.224.1 for reading...
tftp-enforce bypass is using 10.7.224.1:cm-001XXXXXXX
Initiating fake TFTP Get (tftp-enforce bypass)
Bypass succeeded.File was 900 bytes
Storing received cfg of size 900 to memory
Tftp read < 512 bytes, we have reached end of file.
Tftp transfer complete!
TFTP Settings:
            Stack Interface = 1
          Server Ip Address = 10.7.224.1
         Server Port Number = 6934
          Total Blocks Read = 2
           Total Bytes Read = 900

Config file was read!  IP Initialization completed...
MAX CPE per CM is being set to 32
TLV-11[1]: 1.3.6.1.2.1.69.1.2.1.7.1 -> 4 (i32)
TLV-11[2]: 1.3.6.1.2.1.69.1.2.1.2.1 -> 192.168.129.128
TLV-11[3]: 1.3.6.1.2.1.69.1.2.1.3.1 -> 255.255.255.128
TLV-11[4]: 1.3.6.1.2.1.69.1.2.1.4.1 -> private
TLV-11[5]: 1.3.6.1.2.1.69.1.2.1.5.1 -> 3 (i32)
TLV-11[6]: 1.3.6.1.2.1.69.1.2.1.6.1 -> @
TLV-11[7]: 1.3.6.1.2.1.69.1.2.1.7.2 -> 4 (i32)
TLV-11[8]: 1.3.6.1.2.1.69.1.2.1.2.2 -> 192.168.10.0
TLV-11[9]: 1.3.6.1.2.1.69.1.2.1.3.2 -> 255.255.255.0
TLV-11[10]: 1.3.6.1.2.1.69.1.2.1.4.2 -> private
TLV-11[11]: 1.3.6.1.2.1.69.1.2.1.5.2 -> 3 (i32)
TLV-11[12]: 1.3.6.1.2.1.69.1.2.1.6.2 -> @
TLV-11[13]: 1.3.6.1.2.1.69.1.2.1.7.3 -> 4 (i32)
TLV-11[14]: 1.3.6.1.2.1.69.1.2.1.2.3 -> 192.168.129.128
TLV-11[15]: 1.3.6.1.2.1.69.1.2.1.3.3 -> 255.255.255.128
TLV-11[16]: 1.3.6.1.2.1.69.1.2.1.4.3 -> private
TLV-11[17]: 1.3.6.1.2.1.69.1.2.1.5.3 -> 3 (i32)
TLV-11[18]: 1.3.6.1.2.1.69.1.2.1.6.3 -> HEX:C7
TLV-11[19]: 1.3.6.1.2.1.69.1.2.1.7.4 -> 4 (i32)
TLV-11[20]: 1.3.6.1.2.1.69.1.2.1.2.4 -> 200.75.200.26
TLV-11[21]: 1.3.6.1.2.1.69.1.2.1.3.4 -> 255.255.255.255
TLV-11[22]: 1.3.6.1.2.1.69.1.2.1.4.4 -> private
TLV-11[23]: 1.3.6.1.2.1.69.1.2.1.5.4 -> 3 (i32)
TLV-11[24]: 1.3.6.1.2.1.69.1.2.1.6.4 -> @
TLV-11[25]: 1.3.6.1.2.1.69.1.6.3.0 -> 2 (i32)
TLV-11[26]: 1.3.6.1.2.1.69.1.2.1.8.1 -> 1 (i32)
TLV-11[27]: 1.3.6.1.2.1.69.1.6.1.0 -> 2 (i32)
TLV-11[28]: 1.3.6.1.4.1.4115.10.1.20.0 -> 1049648 (i32) UNKNOWN, ignoring.
TLV-11[29]: 1.3.6.1.4.1.4115.1.3.1.1.2.3.2.0 -> 2 (i32) UNKNOWN, ignoring.
TLV-11[30]: 1.3.6.1.4.1.4115.1.3.1.1.2.3.5.4.0 -> 3 (i32) UNKNOWN, ignoring.
TLV-11[31]: 1.3.6.1.4.1.4115.1.3.1.1.2.3.5.3.0 -> 3 (i32) UNKNOWN, ignoring.
Time Of Day completed...
  DefaultSnmpAgentClass::SystemTimeChangeEvent for SB5102 CM Agent w/ BRCM Factory Support
Not logging event ID 2291949524, control  for level 7 is 0.
Not logging event ID 2291949324, control  for level 7 is 0.
SB5102 CM Agent w/ BRCM Factory Support processing TLV-11's
SNMP packet sent to 10.7.224.237:225
  31 TLV-11's OK.
Sending a REG-REQ to the CMTS...
Logging event: TLV-11 - unrecognized OID
Received a REG-RSP message from the CMTS...
0x0000f97e [CmDocsisCtlThread] BcmCmDocsisCtlThread::RegRspMsgEvent:  (CmDocsisCtlThread) We registered with a DOCSIS 1.1 config file!
0x0000f97e [CmDocsisCtlThread] BcmCmDocsisCtlThread::TxRegAckMsg:  (CmDocsisCtlThread) upstream already using standard short/long grant profiles. downshift NOT required.
Logging event: TLV-11 - unrecognized OID
Logging event: TLV-11 - unrecognized OID
Logging event: TLV-11 - unrecognized OID
0x0000f988 [CmDocsisCtlThread] BcmCmDocsisCtlThread::TxRegAckMsg:  (CmDocsisCtlThread) upstream type 2 upshift to adv phy burst profiles!
Registration complete!
Process CVC
0x0000f992 [CmDocsisCtlThread] CmSecureDownload::ProcessConfigFileManufAndCosignerCvcs:  (Secure Software Download) WARNING - No CVC included in config file; software upgrade can't be performed!
0x0000f992 [CmDocsisCtlThread] BcmCmDocsisCtlThread::ProcessCVC:  (CmDocsisCtlThread) ERROR - Config file does not include a valid CVC!
DOCSIS CoS/QoS rate shaping enable is now 1
  CmSnmpAgent::CmOperationalEvent for SB5102 CM Agent w/ BRCM Factory Support
CmSnmpAgent operating in 1.1 mode, including docsQos, excluding docsBpi
+++ No DH kickstart profiles or snmpCommunityTable entries installed.
    We will operate in NMACCESS mode.
SB5102 CM Agent w/ BRCM Factory Support setting V1/V2 view to docsisNmAccessView
SB5102 CM Agent w/ BRCM Factory Support enabling management.
SB5102 CM Agent w/ BRCM Factory Support sending deferred traps...
Done w/ deferred traps.
SB5102 CPE Agent w/ BRCM Factory Support setting V1/V2 view to docsisNmAccessView
0x0000f99c [CmDocsisCtlThread] BcmCmDocsisCtlThread::TestAndLaunchBpkm:  (CmDocsisCtlThread) BPKM enabled. starting BPKM key requests.
SB5102 CM Event Log w/ BRCM Factory Support sending deferred async messages...
Sending syslog message from IF 1 to 200.75.200.7:
  <133> CABLEMODEM [DOCSIS]: <73040100> TLV-11 - unrecognized OID
Sending syslog message from IF 1 to 200.75.200.7:
  <133> CABLEMODEM [DOCSIS]: <73040100> TLV-11 - unrecognized OID
Sending syslog message from IF 1 to 200.75.200.7:
  <133> CABLEMODEM [DOCSIS]: <73040100> TLV-11 - unrecognized OID
Sending syslog message from IF 1 to 200.75.200.7:
  <133> CABLEMODEM [DOCSIS]: <73040100> TLV-11 - unrecognized OID
Done w/ deferred msgs
Not logging event ID 66040100, control  for level 7 is 0.
BPI initialization completed.  Calling ConfigOperational().
Enabling network access for all CPE ports.

mot_scanList: Writing to Flash!
BcmCmDocsisStatusEventCodes::kCmIsOperational
Suspending SNMP Thread
0x0000fbcc [CmDocsisCtlThread] BcmVendorCmApplication::StopDhcpServer:  (VendorExtension CmApp) Shutting down DHCP Server...
0x0000fbcc [CmDocsisCtlThread] BcmStandbySwitchThread::CmIsOperational:  (Motorola Standby Switch Thread) Simulating a press of the standby switch to get the state configured properly.
0x0000fbd6 [IGMP Thread] BcmIgmpThread::Starting Igmp Thread...:  (IGMP Thread)
0x0000fbd6 [Motorola Standby Switch Thread] BcmStandbySwitchThread::ThreadMain:  (Motorola Standby Switch Thread) Standby switch was pressed!
0x0000fbd6 [Motorola Standby Switch Thread] BcmStandbySwitchThread::ProcessSwitchEvent:  (Motorola Standby Switch Thread) Standby switch disabled in nonvol; ignoring event.
Not logging event ID 2296948624, control  for level 7 is 0.

********************

At this point I get wallgardened...  I can "provision" myself an IP, but will get me throttled (and only google)...  

"Autoserving" me the same config the CMTS is providing me will result in an endless bootloop (but with 49TLVs instead of 31)...

I'm assuming the CM is rebooting due to the CMIC md5 hash (at the end of the cfg) not being the one the CMTS wants... will Taco's old "0.0.0.0" suggestion to the cfg aid this?

Thanks m8s

Here's the log with Autoserve... I believe D3 is up as well with my ISP, as they are selling D3 speeds, but most of the CMs are D2s

http://pastebin.com/X7BTK7Ae

Reply
#8
What is the maximum download you get?
Reply

